smart subtransports: improve safety

Throwing an exception in a native callback is pointless; instead,
carefully protect the entry points to return a native error code (-1) on
failure.  Wrap everything else in a try/catch to propagate error codes.

Author: ethomson

LibGit2Sharp/SmartSubtransport.cs

@@ -81,9 +81,21 @@ public int CertificateCheck(Certificate cert, bool valid, string hostname)
                 Marshal.FreeHGlobal(certPtr);
             }
 
+            if (ret > 0)
+            {
+                ret = valid ? 0 : -1;
+            }
+
             return ret;
         }
 
+        /// <summary>
+        /// Call the credential acquisition callback
+        /// </summary>
+        /// <param name="cred">Credential data to populate</param>
+        /// <param name="user">Username from the URL, if any</param>
+        /// <param name="methods">Supported methods</param>
+        /// <returns></returns>
         public int AcquireCredentials(out Credentials cred, string user, params Type[] methods)
         {
             // Convert the user-provided types to libgit2's flags
@@ -127,6 +139,12 @@ public int AcquireCredentials(out Credentials cred, string user, params Type[] m
             }
         }
 
+        /// <summary>
+        /// libgit2 will call an action back with a null url to indicate that
+        /// it should re-use the prior url; store the url so that we can replay.
+        /// </summary>
+        private string LastActionUrl { get; set; }
+
         /// <summary>
         /// Invoked by libgit2 to create a connection using this subtransport.
         /// </summary>
@@ -202,43 +220,57 @@ private static int Action(
                 SmartSubtransport t = GCHandle.FromIntPtr(Marshal.ReadIntPtr(subtransport, GitSmartSubtransport.GCHandleOffset)).Target as SmartSubtransport;
                 String urlAsString = LaxUtf8Marshaler.FromNative(url);
 
-                if (null != t &&
-                    !String.IsNullOrEmpty(urlAsString))
+                if (t == null)
                 {
-                    try
-                    {
-                        stream = t.Action(urlAsString, action).GitSmartTransportStreamPointer;
+                    Proxy.giterr_set_str(GitErrorCategory.Net, "no subtransport provided");
+                    return (int)GitErrorCode.Error;
+                }
 
-                        return 0;
-                    }
-                    catch (Exception ex)
-                    {
-                        Proxy.giterr_set_str(GitErrorCategory.Net, ex);
-                    }
+                if (String.IsNullOrEmpty(urlAsString))
+                {
+                    urlAsString = t.LastActionUrl;
+                }
+
+                if (String.IsNullOrEmpty(urlAsString))
+                {
+                    Proxy.giterr_set_str(GitErrorCategory.Net, "no url provided");
+                    return (int)GitErrorCode.Error;
                 }
 
-                return (int)GitErrorCode.Error;
+                try
+                {
+                    stream = t.Action(urlAsString, action).GitSmartTransportStreamPointer;
+                    t.LastActionUrl = urlAsString;
+                    return 0;
+                }
+                catch (Exception ex)
+                {
+                    Proxy.giterr_set_str(GitErrorCategory.Net, ex);
+                    return (int)GitErrorCode.Error;
+                }
             }
 
             private static int Close(IntPtr subtransport)
             {
                 SmartSubtransport t = GCHandle.FromIntPtr(Marshal.ReadIntPtr(subtransport, GitSmartSubtransport.GCHandleOffset)).Target as SmartSubtransport;
 
-                if (null != t)
+                if (t == null)
                 {
-                    try
-                    {
-                        t.Close();
-
-                        return 0;
-                    }
-                    catch (Exception ex)
-                    {
-                        Proxy.giterr_set_str(GitErrorCategory.Net, ex);
-                    }
+                    Proxy.giterr_set_str(GitErrorCategory.Net, "no subtransport provided");
+                    return (int)GitErrorCode.Error;
                 }
 
-                return (int)GitErrorCode.Error;
+                try
+                {
+                    t.Close();
+
+                    return 0;
+                }
+                catch (Exception ex)
+                {
+                    Proxy.giterr_set_str(GitErrorCategory.Net, ex);
+                    return (int)GitErrorCode.Error;
+                }
             }
 
             private static void Free(IntPtr subtransport)

LibGit2Sharp/SmartSubtransportStream.cs

@@ -107,56 +107,71 @@ private unsafe static int Read(
                 SmartSubtransportStream transportStream =
                     GCHandle.FromIntPtr(Marshal.ReadIntPtr(stream, GitSmartSubtransportStream.GCHandleOffset)).Target as SmartSubtransportStream;
 
-                if (transportStream != null &&
-                    buf_size.ToUInt64() < (ulong)long.MaxValue)
+                if (transportStream == null)
+                {
+                    Proxy.giterr_set_str(GitErrorCategory.Net, "no transport stream provided");
+                    return (int)GitErrorCode.Error;
+                }
+
+                if (buf_size.ToUInt64() >= (ulong)long.MaxValue)
+                {
+                    Proxy.giterr_set_str(GitErrorCategory.Net, "buffer size is too large");
+                    return (int)GitErrorCode.Error;
+                }
+
+                try
                 {
                     using (UnmanagedMemoryStream memoryStream = new UnmanagedMemoryStream((byte*)buffer, 0,
                                                                                           (long)buf_size.ToUInt64(),
                                                                                           FileAccess.ReadWrite))
                     {
-                        try
-                        {
-                            long longBytesRead;
+                        long longBytesRead;
 
-                            int toReturn = transportStream.Read(memoryStream, (long)buf_size.ToUInt64(), out longBytesRead);
+                        int toReturn = transportStream.Read(memoryStream, (long)buf_size.ToUInt64(), out longBytesRead);
 
-                            bytes_read = new UIntPtr((ulong)Math.Max(0, longBytesRead));
+                        bytes_read = new UIntPtr((ulong)Math.Max(0, longBytesRead));
 
-                            return toReturn;
-                        }
-                        catch (Exception ex)
-                        {
-                            Proxy.giterr_set_str(GitErrorCategory.Net, ex);
-                        }
+                        return toReturn;
                     }
                 }
-
-                return (int)GitErrorCode.Error;
+                catch (Exception ex)
+                {
+                    Proxy.giterr_set_str(GitErrorCategory.Net, ex);
+                    return (int)GitErrorCode.Error;
+                }
             }
 
             private static unsafe int Write(IntPtr stream, IntPtr buffer, UIntPtr len)
             {
                 SmartSubtransportStream transportStream =
                     GCHandle.FromIntPtr(Marshal.ReadIntPtr(stream, GitSmartSubtransportStream.GCHandleOffset)).Target as SmartSubtransportStream;
 
-                if (transportStream != null && len.ToUInt64() < (ulong)long.MaxValue)
+                if (transportStream == null)
+                {
+                    Proxy.giterr_set_str(GitErrorCategory.Net, "no transport stream provided");
+                    return (int)GitErrorCode.Error;
+                }
+
+                if (len.ToUInt64() >= (ulong)long.MaxValue)
+                {
+                    Proxy.giterr_set_str(GitErrorCategory.Net, "write length is too large");
+                    return (int)GitErrorCode.Error;
+                }
+
+                try
                 {
                     long length = (long)len.ToUInt64();
 
                     using (UnmanagedMemoryStream dataStream = new UnmanagedMemoryStream((byte*)buffer, length))
                     {
-                        try
-                        {
-                            return transportStream.Write(dataStream, length);
-                        }
-                        catch (Exception ex)
-                        {
-                            Proxy.giterr_set_str(GitErrorCategory.Net, ex);
-                        }
+                        return transportStream.Write(dataStream, length);
                     }
                 }
-
-                return (int)GitErrorCode.Error;
+                catch (Exception ex)
+                {
+                    Proxy.giterr_set_str(GitErrorCategory.Net, ex);
+                    return (int)GitErrorCode.Error;
+                }
             }
 
             private static void Free(IntPtr stream)